Our Insights

Part 1 - The GDPR revolution: data subject rights

The European Union's General Data Protection Regulation is set to transform how financial services firms manage and interact with personal data

February 6, 2018

In this article series The GDPR revolution, RBC Investor & Treasury Services explores how the European Union’s General Data Protection Regulation will affect data subject rights, compliance and control procedures, and management of breaches by financial institutions.

As the clock ticks towards the May 25, 2018 effective date of the European Union's (EU) General Data Protection Regulation (GDPR), the financial services industry remains focused on aligning with the requirements, particularly given the steep fines that will apply for non-compliance.

GDPR replaces the 1995 Data Protection Directive and is aimed at protecting all EU citizens from privacy and data breaches in an “increasingly data-driven world that is vastly different".1 It spans the globe as it also affects businesses offering services into the EU, regardless of where the business is based.

As noted by the European Commission, “The General Data Protection Regulation enables the free flow of data across the Digital Single Market. It will better protect the privacy of Europeans and reinforce trust and security for consumers, while at the same time opening up new opportunities for businesses, especially smaller ones.”2

The rights of individuals

In a world where data protection is critical and cyber dangers can be crippling, GDPR strengthens the rights of individuals to control their own data.

The balance of power shifts to the ‘data subject’ in an effort to “protect and empower all EU citizens' data privacy."3 This transfer of data ownership creates challenges for the financial services industry, which increasingly depends on big data to tailor products and which has been accustomed to holding personal information without having to specify why or for how long. GDPR, however, puts the onus on any organization that holds personal data to justify permission to use that data while also guaranteeing its protection.

High stakes, big investment

The stakes are high with possible fines for non-compliance of up to EUR 20 million or four percent of a company's global turnover. Consultancy firm Oliver Wyman estimates that FTSE 100 companies would have paid up to GPB 25 billion for data breaches over the past five years if the GDPR had been in force.4 The potential reputational damage is also high with customers increasingly prioritizing data security.

GDPR compliance by financial services firms will likely be complex and costly.

A survey by PwC indicated that 40 percent of firms affected by GDPR could spend at least USD 10 million to be compliant.5 At some banks, a customer's data may be held on more than 100 systems and even straightforward changes can involve significant work. "Sometimes even the simplest changes take months and months. Multiply that by a hundred and it becomes a very complicated task," said Chris McMillan, a partner at Oliver Wyman.6 In alignment with the regulation, firms with large-scale processing activities have had to appoint Data Protection Officers who are responsible for monitoring compliance with GDPR and for cooperating with the firm’s designated supervisory authority on matters related to the processing of personal data.7

Obtaining informed consent

GDPR ratchets up the need for informed consent and places the responsibility firmly on the shoulders of the data controller – which keeps or processes information about the data subject – to demonstrate it has obtained valid permission. Article 7(2) of GDPR states that in order for a request for consent to be valid, it “shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language."8 This requirement is a change for financial institutions that will need clear and affirmative action from the data subject for every different activity. Silence, inactivity or pre-ticked boxes will not be sufficient, according to the regulation.9 Also, consent is given for a specific purpose and can only be used for that purpose. Therefore, data retention policies must be amended to define the reasons for retaining data. Article 13 also requires data controllers to stipulate the period for which the personal data will be stored and the criteria used to determine the period.10

Data subjects can also withdraw consent at any time, request their data under the right to “data portability" or request that it be deleted under the “right to be forgotten."11 Firms must have mechanisms to handle erasure requests and systems capable of searching for any and all personal data. They also need to closely track data inventory and be able to prove they have removed data.

Compliance is attractive

Given the complexity of the legislation, Gartner forecasts that more than half of companies affected may not be in full compliance with the requirements by the implementation deadline.12 Non-compliance could have marked consequences for company reputations and impact their ability to retain and win new clients if there is a low level of trust about the use of their data. Only one in five UK consumers claim to trust financial institutions with their information and 79 percent say they would consider taking their business to another company if their service provider was not compliant with GDPR, according to Thales.13

Against this backdrop, firms capable of demonstrating compliance will become increasingly attractive as privacy takes on greater importance.

Also, market entrants who can build their systems from the ground up and be compliant from the outset may well gain an edge over institutions with legacy systems that may require more extensive revisions.

With client trust at stake and the threat of steep fines, firms must act quickly to achieve compliance. “GDPR is a change in privacy legislation that has far-reaching impact. The work required to comply can be significant and firms should not underestimate the effort required, especially in the face of the rapidly approaching effective date,” said Wendy Phillis, Managing Director, Governance and Regulatory Solutions at RBC Investor & Treasury Services.

Next in RBC Investor & Treasury Services' The GDPR Revolution series: the key steps that market participants should undertake to ensure they have adequate compliance measures in place under GDPR.

Key insights

The GDPR is geared toward protecting the privacy of citizens and places significant demands on financial institutions

The stakes are high with hefty fines for non-compliance that can run as high as four percent of global turnover

GDPR compliance can be a strong selling point for firms in a world fraught with data breaches and cyberattacks